From f2f502185dd1fafeb1e9cfa11196ff90cfb56238 Mon Sep 17 00:00:00 2001
From: Wessel Nieboer
Date: Wed, 11 Feb 2026 04:35:34 +0100
Subject: [PATCH 1/2] Validate buffer length before reading fields in Packet::readFrom

readFrom reads the header byte, transport codes (4 bytes), and path_len from the source buffer before any length validation. With a short input, these reads go past the end of the buffer. Add upfront length checks: minimum 2 bytes overall, transport codes require 4 additional bytes, and path must fit before the remaining payload.
---
 src/Packet.cpp | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/src/Packet.cpp b/src/Packet.cpp
index aad3e2f48..66b65ba1b 100644
--- a/src/Packet.cpp
+++ b/src/Packet.cpp
@@ -63,9 +63,11 @@ uint8_t Packet::writeTo(uint8_t dest[]) const {
 }
 
 bool Packet::readFrom(const uint8_t src[], uint8_t len) {
+ if (len < 2) return false; // minimum: header + path_len
 uint8_t i = 0;
 header = src[i++];
 if (hasTransportCodes()) {
+ if (i + 4 >= len) return false; // need 4 bytes for transport codes + path_len after
 memcpy(&transport_codes[0], &src[i], 2); i += 2;
 memcpy(&transport_codes[1], &src[i], 2); i += 2;
 } else {
@@ -75,9 +77,8 @@ bool Packet::readFrom(const uint8_t src[], uint8_t len) {
 if (!isValidPathLen(path_len)) return false; // bad encoding
 
 uint8_t bl = getPathByteLen();
+ if (i + bl >= len) return false; // path + at least 1 byte payload must fit
 memcpy(path, &src[i], bl); i += bl;
-
- if (i >= len) return false; // bad encoding
 payload_len = len - i;
 if (payload_len > sizeof(payload)) return false; // bad encoding
 memcpy(payload, &src[i], payload_len); //i += payload_len;

From d41863a1f5c2c4259f67231d7ceeb736eb146a8b Mon Sep 17 00:00:00 2001
From: Wessel Nieboer
Date: Wed, 11 Feb 2026 04:43:33 +0100
Subject: [PATCH 2/2] Clarify bounds check comment in Packet::readFrom

---
 src/Packet.cpp | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

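Review bot: In the first hunk of PATCH 1/2 (`@@ -63,9 +63,11 @@`), a frame that fails the new transport-code check has already replaced `header`, because `header = src[i++];` runs before `if (i + 4 >= len) return false;`. hasTransportCodes() takes no argument, so it presumably reads that member and the assignment cannot simply move below the check. If any caller keeps using a Packet after readFrom returns false, it would see a header taken from rejected input, so I would document the contract above the function: `// On false the Packet may be partially overwritten; the caller must discard it.` readFrom's body continues outside this hunk.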
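Review bot: In the second hunk of PATCH 1/2 (`@@ -75,9 +77,8 @@`), the added `if (i + bl >= len) return false;` bounds the read from `src`, but nothing visible bounds the write of `bl` bytes into `path`. The payload copy below it has an explicit `payload_len > sizeof(payload)` guard, while the path copy depends on isValidPathLen() and getPathByteLen(), which are defined outside the hunk. If those already guarantee that bl fits, a comment next to the memcpy stating it would make the invariant reviewable; if not, and assuming `path` is a member array like `payload`, add `if (bl > sizeof(path)) return false;` before the memcpy.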
diff --git a/src/Packet.cpp b/src/Packet.cpp
index 66b65ba1b..3944eaf89 100644
--- a/src/Packet.cpp
+++ b/src/Packet.cpp
@@ -67,7 +67,7 @@ bool Packet::readFrom(const uint8_t src[], uint8_t len) {
 uint8_t i = 0;
 header = src[i++];
 if (hasTransportCodes()) {
- if (i + 4 >= len) return false; // need 4 bytes for transport codes + path_len after
+ if (i + 4 >= len) return false; // need 4 transport bytes + the path_len byte
 memcpy(&transport_codes[0], &src[i], 2); i += 2;
 memcpy(&transport_codes[1], &src[i], 2); i += 2;
 } else {